Forgive the Vanilla Ice lead-in, but whenever you sell customer data you really should stop for a moment, collaborate with appropriate counsel and listen to what your users might think about it. So let’s look to France and hope this post doesn’t kill your brain like a mushroom. Ouch, that hurt alittle. Sorry.
Do you have a nice data file with customer information? If you are in France, you need to inform the authorities. Otherwise your sale of your entire company may be jeopardized. Even if you aren’t in France, the implications of a recent French Supreme Court decision are profound. It really brings home to roost that privacy by design extends along the entire lifecycle of your business, including dissolution.
Brad Spitz wrote last week in the Kluwer Copyright Blog about a recent decision by the French Supreme Court that you should pay attention to. There are a few reasons why you should. If you operate in Europe, this is the standard you will be held to. If you don’t, it is still a lesson in privacy by design to be learned.
I am not entirely sure of the fact pattern here as my reading of them is through Google’s translation of the court’s decision. I think this was a brick-and-mortars business that kept their customer contact list in a computerized file. While probably quite large, it doesn’t appear that it was an electronic collection.
- Your collect data from your consumers, including personal data
- You store that data in a customer file database
- You didn’t inform the customer properly, and you didn’t inform the authorities either
- During the dissolving of the company, the file was used as an asset
The Court actually held that the sale was null. Not because of the lack of notification to the consumer, but because the company did not notify the French personal data authority CNIL of the file in the first place. Since the lack of CNIL notification made the file illegal on its face, it could not be the subject of any further agreements.
If you operate in France, this will add a level of complexity to any corporate sales agreements that you may not have planned for. I don’t have enough grounding in French data protection laws to even opine on this particular decision. All I can say is take it into account.
For those of you that don’t operate in France at all, you can learn something from this. The first thing is it should inform your ‘privacy by design’ discussions. When you are designing new systems, new databases or new user experiences think far ahead. The second is do the right thing with user data, always.
Privacy by Design
What I found most troubling in this example was the lack of understanding of the sensitivity of the file. The lack of filing with the CNIL shows that the company in question did not fully understand what they were collecting. I don’t know what they were collecting, so perhaps it was something they didn’t consider to be particularly sensitive. Each jurisdiction has different rules on what is personal and what is not. How about this for a definition – If ANY of your customers would think that ANY information you are collecting is sensitive, THEN IT IS SO. It is in the eyes of your consumers. Protect that information.
I suggest two options. Either have a stand along plain language privacy statement, which then further links to your “robust no one ever reads this” privacy statement. Or consider a simple plain language introduction. Tell your users what you will and will not do.
Here is what that statement should contain, and what you should commit to:
- What data do you collect, and how you collect it and why you collect it
- What data you do not collect
- Do you supplement the provided data with other data, such as mailing lists.
- How you will use that data
- How you will not use that data
- Do you sell data
- Provide them a simple way to turn off the use of their data
Your Audience and Doing the Right Thing
Don’t forget who you are dealing with. Who you are not dealing with are people just like you. You should be thinking of how your statements and actions will be perceived by your users. Not how you would argue. How it would be perceived. If you control for your users, regulators should be no concern. Though I would spend some time thinking about how they will look at it. Again, not how you argue your actions to the regulator, but how it will be perceived. If you have really taken into consideration the users, this will be easy.
Don’t stop at just what is minimally required, please. Look beyond that to what you would want if you were on the other side. Consider the most sensitive of your users and setup a system for them. This may seem like overkill. I don’t think it is.
The problem is generally the use of data. Allow for control over that conduit, the use, and I think you can control for even the most sensitive of users. This is simplistic, but consider a flag in the user’s data file that is a simple binary allow/deny. When requesting data, respect the flag. Allow the user to set the flag, both at the point of data collection and at some point after.
Selling Your Company, Not Your Soul, and It’s Data
Dissolving a company is never a fun thing to do. One of your intangible assets is your customer contact list. It can be quite valuable. That is why companies try to prevent employees from taking it with them when they leave. It has also led to some interesting litigation around LinkedIn connections. You need to still do the right thing when you dissolve your company.
On the flip side if you are acquiring the assets of a company through some type of dissolution, do your full due diligence. How was the file created? Was there some type of notification required? Did the notification take place? Can you even sell the data further along down the line? If not, the value of that file may be diminished.
Later This Week on SoLoMoLaw
The National Telecommunications Industry Association (NTIA) released it’s draft code of conduct for short form mobile privacy notices last week. This week we will look at it in greater detail and highlight some sections that I think you should pay greater attention to.